Preventing the security threats and incidents described below is wiser and cheaper than forensic investigation and mitigation of the consequences of a cyber attack. Use our services to find and mitigate your security vulnerabilities before threat agents find them.
#1222370: AI Companies Race To Get Upper Hand In Cybersecurity — Before Hackers Do. Artificial intelligence, for all its mind-boggling potential, is a double-edged sword. Sure, AI might save lives through early cancer or heart disease detection. In cybersecurity, though, even AI companies worry that....
Posted on 21 July 2018 5:37 pm on brica.de
#1222366: DNS Rebinding Exposes Half a Billion Devices in the Enterprise. TL;DR Recent reporting showed how DNS rebinding leaves IoT and unmanaged devices vulnerable to attacks in the home. Armis has identified that enterprises are even more exposed, as almost half a billion of these devices are....
Posted on 21 July 2018 5:37 pm on brica.de
Original release date: July 19, 2018 NCCIC will conduct a series of webinars on Russian government cyber activity against critical infrastructure (as detailed in NCCIC Alert TA18-074A ), which will feature NCCIC subject matter experts discussing recent cybersecurity incidents, mitigation techniques,....
Posted on 21 July 2018 1:43 pm on www.kashifali.ca
State-actors were likely behind Singapore's biggest ever cyber-attack to date, security experts say, citing the scale and sophistication of the hack. The city-state announced Friday that hackers had broken into a government database and stolen the health records of 1.
Posted on 21 July 2018 12:11 pm on gadgets.ndtv.com
A sophisticated mobile malware campaign is gaining access to iPhones by tricking users to download an open-source mobile device management (MDM) software package. Once in control, the unidentified hackers can steal various forms of sensitive information from infected devices, including the phone....
Posted on 21 July 2018 3:48 am on www.zdnet.com
Department of Justice Cyber-Digital Task Force Report Highlights. The Cyber-Digital Task Force Report (read below or download ) begins by focusing on one of the most pressing cyber-enabled threats confronting our Nation: the threat posed by malign foreign influence operations.
Posted on 21 July 2018 3:48 am on mixnerconsulting.com
Leaders in the security sector discuss the most pressing cyberthreats threatening the United States and what can be done to mitigate them. Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously....
Posted on 21 July 2018 3:48 am on www.darkreading.com
Medical testing laboratory firm LabCorp is still working to fully recover systems functionality nearly a week after a cyberattack that the company now claims involved "a new variant" of ransomware. "Our investigation has found....
Posted on 21 July 2018 12:08 am on www.govinfosecurity.com
A major breach in Singapore has exposed personal information for more than 25 percent of the country's residents. But authorities say they believe the "deliberate, targeted and well-planned attack" was principally designed to steal medical information pertaining to the country's prime minister, 66-year-old Lee Hsien Loong.
Posted on 20 July 2018 8:20 pm on www.databreachtoday.in
PARIS: French lawmakers have secured a deal on a bill that would outlaw the use of mobile phones in schools starting in September, one of Emmanuel Macron's pledges during last year's presidential campaign. Senators and National Assembly deputies reached the agreement late Wednesday on the ban for....
Posted on 20 July 2018 7:19 pm on www.thenews.com.pk
Magniber ransomware grows stronger and scarier. The Magniber strain of ransomware is back, stronger than before, and starting to spread through much of Asia. Cybersecurity experts are taking note of the substantial changes the malware has undergone over the past year.
Posted on 20 July 2018 7:09 pm on www.itsecuritynews.info
The government lacks urgency over addressing the shortage of cyber security skills needed to protect the UK's critical infrastructure, the Joint Committee on the National Security Strategy has warned. The Committee published a short report concluding that the shortage of specialist skills and “deep....
Posted on 20 July 2018 7:04 pm on www.itpro.co.uk
Hackers are hiding malicious code inside the metadata fields of images hosted on Google's official CDN (content delivery network) googleusercontent.com. The type of images that are being hosted on this domain are usually the photos uploaded on Blogger.com sites and the Google+ social network.
Posted on 20 July 2018 6:11 pm on www.bleepingcomputer.com
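The technique in the item above (a script smuggled into the metadata segments of an otherwise valid image, served from a trusted CDN) is easy to check for on the receiving side. The following is an added example, not code from the BleepingComputer article or from Google: it walks the segment headers of a JPEG, looks only at the APPn (EXIF/XMP) and COM segments that precede the scan data, and flags payload strings that have no business in image metadata. The sample JPEG bytes and the pattern list are constructed for the example.

```python
import re
import struct

# JPEG marker numbers for the metadata-bearing segments we inspect
APPN_MARKERS = {0xE0 + i: f"APP{i}" for i in range(16)}  # APP0 (JFIF), APP1 (EXIF/XMP), ...
COM_MARKER = 0xFE  # free-text comment segment
SOS_MARKER = 0xDA  # start of scan: entropy-coded image data follows, metadata sits before it

# Strings that have no business in image metadata and typically mark a smuggled script
# (constructed list for this example; extend it with what your own triage shows)
SUSPICIOUS = re.compile(
    rb"<\?php|<script|eval\(|base64_decode\(|document\.write|fromCharCode",
    re.IGNORECASE,
)


def iter_segments(data):
    """Yield (marker, payload) for every JPEG segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # padding byte before a marker
            pos += 1
            continue
        if marker == 0xD9:          # EOI: nothing more to read
            return
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts its own two bytes
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS_MARKER:
            return
        pos += 2 + length


def scan_jpeg_metadata(data):
    """Return [(segment_name, matched_string)] for metadata segments carrying script-like content."""
    findings = []
    for marker, payload in iter_segments(data):
        name = APPN_MARKERS.get(marker) or ("COM" if marker == COM_MARKER else None)
        if name is None:
            continue
        match = SUSPICIOUS.search(payload)
        if match:
            findings.append((name, match.group(0).decode("ascii", "replace")))
    return findings


def build_segment(marker, payload):
    """Encode one JPEG segment: FF, marker, big-endian length (payload + 2), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (not real files): an EXIF APP1 segment whose tail carries a PHP stub,
# followed by a harmless COM segment, a minimal SOS header, two bytes of scan data and EOI.
EXIF_PAYLOAD = b"Exif\x00\x00" + b"\x00" * 20 + b"<?php eval(base64_decode($_GET['x'])); ?>"
MALICIOUS_JPEG = (
    b"\xff\xd8"
    + build_segment(0xE1, EXIF_PAYLOAD)
    + build_segment(COM_MARKER, b"just a comment")
    + build_segment(SOS_MARKER, b"\x00")
    + b"\x12\x34"
    + b"\xff\xd9"
)
CLEAN_JPEG = (
    b"\xff\xd8"
    + build_segment(0xE0, b"JFIF\x00\x01\x01")
    + build_segment(SOS_MARKER, b"\x00")
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(scan_jpeg_metadata(MALICIOUS_JPEG))  # [('APP1', '<?php')]
    print(scan_jpeg_metadata(CLEAN_JPEG))      # []
```

The scanner deliberately stops at the SOS marker: everything after it is compressed pixel data, and the segments that carry EXIF, XMP and comments always come first, so a file-wide string search (which would also fire on random pixel bytes) is unnecessary. Note that a hit proves only that a payload is present, not that anything executes it; the loader that reads the metadata and evaluates it is the part to hunt for on the web server.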
UK security experts say that Huawei telecoms equipment has shortcomings that may pose threats to telecoms networks in the country. The report, from an oversight board specially set up to evaluate Huawei equipment due to be used in UK networks, says there are "shortcomings in Huawei’s engineering....
Posted on 20 July 2018 5:31 pm on www.capacitymedia.com
Hackers stole at least $920,000 from Russia's PIR Bank after they successfully compromised an outdated, unsupported Cisco router at a bank branch office and used it to tunnel into the bank's local network.
Posted on 20 July 2018 4:18 pm on www.databreachtoday.com
News and articles about cyber security, information security, vulnerabilities, exploits, patches, releases, software, features, hacks, laws, spam, viruses, malware, trojans. A new botnet has been detected by security researchers at NewSky security, with their discovery being confirmed by researchers from Qihoo 360 Netlab, Rapid7, and Greynoise.
Posted on 20 July 2018 3:37 pm on www.itsecuritynews.info
Vuln: Oracle MySQL Server CVE-2018-3071 Remote Security Vulnerability.
Posted on 20 July 2018 3:37 pm on www.itsecuritynews.info
SINGAPORE: A major cyberattack on Singapore’s government health database stole the personal information of about 1.5 million people, including Prime Minister Lee Hsien Loong, the government said on Friday. The attack, which the government called “the most serious breach of personal data” that the....
Posted on 20 July 2018 3:17 pm on www.freemalaysiatoday.com
#1222259: IoT hacker builds Huawei-based botnet, enslaves 18,000 devices in one day. How long does it take to build a botnet? Not long, if you consider Anarchy's 18,000-device-strong creation, brought to life in only 24 hours. First spotted by researchers from NewSky Security, as reported by....
Posted on 20 July 2018 2:59 pm on brica.de
podcasts, right here #ICYMI. In this episode: Security SOS Week Privacy – can you have too much of a good thing? Should we have more privacy to protect us from cybercriminals, or less privacy so those selfsame cybercrooks can’t hide so easily? Join Sophos security expert James Burchell for a lively....
Posted on 20 July 2018 1:14 pm on irishinfosecnews.wordpress.com
A recent report from P&S Market Research pegs the growth in the cybersecurity artificial intelligence market at 36 percent annually from 2017 through 2023, when it expects the cybersecurity artificial intelligence market to reach $18 billion. According to the research firm, the North American....
Posted on 20 July 2018 12:40 pm on businessinsights.bitdefender.com
NEW YORK, July 19, 2018 - Ben-Gurion University of the Negev (BGU) Malware Lab researchers have developed a new method to detect unknown, malicious emails that is more accurate than the most popular antivirus software products.
Posted on 20 July 2018 11:34 am on www.eurekalert.org
Florida-based HR services provider ComplyRight revealed recently that its tax reporting platform was involved in a....
Posted on 20 July 2018 10:14 am on www.itsecuritynews.info
Telecommunications executives have relegated disruption from new technologies to third place in their risk top 5: the number one risk identified by 60 telecom companies surveyed right now is exchange rate volatility, according to phone companies and internet providers.
Posted on 20 July 2018 10:09 am on irishinfosecnews.wordpress.com
New York: US President Donald Trump has invited Russian leader Vladimir Putin to Washington for a follow-up meeting in coming months, an announcement that stunned his intelligence chief when he was informed about it in front of a live audience. News of the planned meeting, revealed by White House....
Posted on 20 July 2018 8:59 am on www.smh.com.au
"Exposing schemes to the public is an important way to neutralise them," said Deputy Attorney General Rod Rosenstein, who announced the policy at the Aspen Security Forum in Colorado. Rosenstein, got a standing ovation."The American people have a right to know if foreign governments are targeting them with propaganda," he said.
Posted on 20 July 2018 5:44 am on www.smh.com.au
Microsoft said it detected and helped the US government to block Russian hacking attempts against at least three congressional candidates this year, a Microsoft executive revealed while speaking at the Aspen Security Forum today. Although the company declined to name the targets, it said the three....
Posted on 20 July 2018 5:16 am on thehackernews.com
Three of the top cybersecurity officials at the FBI are planning to retire in the coming weeks, The Wall Street Journal reported Thursday. The departing officials are Assistant Director Scott Smith, who runs the FBI's cyber division; David Resch, the executive assistant director of the Criminal,....
Posted on 20 July 2018 3:35 am on thehill.com
Four days before U.S. and Russian leaders met in Helsinki, hackers from China launched a wave of brute-force attacks on internet-connected devices in Finland, seeking to gain control of gear that could collect audio or visual intelligence, a new report says.
Posted on 20 July 2018 1:48 am on www.govexec.com
Password-Stealing, Eavesdropping Malware Targets Ukrainian Government. News broke that a cyber espionage campaign is....
Posted on 20 July 2018 1:17 am on www.itsecuritynews.info
Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company’s thousands of clients on behalf of employees.
Posted on 20 July 2018 1:17 am on www.itsecuritynews.info
ASPEN, Colo. (AP) — National Intelligence Director Dan Coats' drumbeat of criticism against Russia is clashing loudly with President Donald Trump's pro-Kremlin remarks, leaving the soft-spoken spy chief in an uncomfortable — and perhaps perilous — place in the administration.
Posted on 20 July 2018 1:08 am on article.wn.com
#1222186: C-Suite Cyber Security Awareness May Be the Key to Taking a Bite Out of Breaches. No matter how many breaches we read about, how many cautions we hear, or how many reminders we get about the importance of round-the-clock diligence, cyber security continues to slip through the cracks as a business priority too often.
Posted on 20 July 2018 12:40 am on brica.de
By Steve Holland and Andrew Osborn. WASHINGTON/MOSCOW (Reuters) - U.S. President Donald Trump rejected Russian President Vladimir Putin's proposal that Russian authorities be allowed to question American citizens, the White House said on Thursday, after the offer drew fierce criticism in the United States.
Posted on 20 July 2018 12:18 am on www.firstpost.com
A year and half into the Trump administration, Grant Schneider can remove the “acting” label from his title. Schneider, who has served as acting federal Chief Information Security Officer since January 2017, has been tapped for the role on a full time basis, the White House announced July 19.
Posted on 20 July 2018 12:12 am on fcw.com
New CDM bill aims for flexibility, newer tech. By Derek B. Johnson; Jul 19, 2018. The Department of Homeland Security's Continuous Diagnostics and Mitigation program hasn't been around for very long, but overseers in Congress want to make sure the cybersecurity program remains on the....
Posted on 20 July 2018 12:12 am on fcw.com
There have been at least 16 high-profile data breaches in the first half of 2018, but online retailers are being hit the hardest. A new study by cyber security firm Shape Security found that more than 90% of the login traffic of online retailers actually comes from hackers using stolen login data. Last year, 1.
Posted on 20 July 2018 12:09 am on fortune.com
Many simply call it "the problem of the password." But those five words summarize one of the most enduring challenges in the history of technology: From both a user experience (UX) and security standpoint, passwords and authentication protocols are as dangerously problematic as they are ubiquitous.
Posted on 20 July 2018 12:09 am on www.darkreading.com
We spend a lot of time researching and highlighting the dangers of IoT devices.
Posted on 19 July 2018 11:28 pm on www.itsecuritynews.info
Cisco has resolved a set of critical vulnerabilities in Policy Suite which permit attackers to cause havoc in the software's databases. This week, the tech giant released a security advisory detailing four vulnerabilities which could place enterprise users at risk of information leaks, account compromise, database tampering, and more.
Posted on 19 July 2018 10:30 pm on www.zdnet.com
#1222148: The Evolution of Emotet: From Banking Trojan to Threat Distributor. Evidence indicates that Mealybug, the threat group behind Emotet, has evolved from maintaining its own custom banking Trojan to operating as a distributor of threats for other groups. Mealybug is a cyber crime actor that has been active since at least 2014.
Posted on 19 July 2018 9:03 pm on brica.de
Utimaco partners with ThothTrust to protect digital wallets and their cryptocurrency assets with Utimaco HSMs and the CryptoScript Software Development Kit (SDK). The Customizable Secure Cryptography (CSC) product offers different security levels and customization options to create a secure environment corresponding to the customer’s requirements.
Posted on 19 July 2018 8:08 pm on www.helpnetsecurity.com
Okta announced it has acquired ScaleFT. Together, Okta and ScaleFT will bring Zero Trust to the enterprise by providing organizations with a framework to protect data, without compromising on experience. As the proliferation of applications and devices continues, the network perimeter is....
Posted on 19 July 2018 8:08 pm on www.helpnetsecurity.com
Cyber Security Incidents: Insider Threat falls in UK (to 65%) and Germany (to 75%) post GDPR, but US risk increases (to 80%) ....
Posted on 19 July 2018 7:52 pm on www.itsecuritynews.info
Microsoft has launched a new bug bounty program, this time for identity services. "Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions," wrote principal security group manager Phillip Misner.
Posted on 19 July 2018 7:14 pm on www.theregister.co.uk
President Donald Trump hinted on Thursday at plans for a second meeting with his Russian counterpart, Vladimir Putin, saying that he planned to work with Putin towards the implementation of key issues discussed earlier this week in Helsinki, Finland, including Israeli security concerns, nuclear proliferation, and Middle East peace.
Posted on 19 July 2018 7:10 pm on www.israelnationalnews.com
The aviation industry is growing, thanks to millions of passengers traveling around the world. According to Statista , in 2017, 36.8 million flights were operated worldwide while the Bureau of Transportation Statistics revealed [PDF] that in 2017, U.S.-based airlines transported over 746 million passengers to and from airports across the country.
Posted on 19 July 2018 7:07 pm on www.hackread.com
Andy Norton: Despite 95 percent of CIOs expecting cyberthreats to increase over the next three years, only 65 percent of their organizations currently have a cybersecurity expert, according to a survey from Gartner. The survey also reveals that skills challenges continue to plague organizations....
Posted on 19 July 2018 7:04 pm on www.informationsecuritybuzz.com
Endpoint Security News: Today, Massachusetts-based endpoint security solution provider Carbon Black released their "Quarterly Incident Response Threat Report" for Q2 of 2018. This report is equally concerned about the independent digital threat actor and nation-state funded hacks and....
Posted on 19 July 2018 5:30 pm on solutionsreview.com
Jon Oltsik is a principal analyst at Enterprise Strategy Group (ESG) and has been quoted in the Wall Street Journal, Business Week, and the New York Times. What Makes CISOs Successful? Leadership and communication skills top the list, while technical skills aren't nearly as important. The CISO role....
Posted on 19 July 2018 5:14 pm on www.csoonline.com
Document Title: GhostMail - (filename to link) POST Inject Web Vulnerability. References (Source): http://www.vulnerability-lab.com/get_content.php?id=1471 . Release Date: 2018-06-26. Vulnerability Laboratory ID (VL-ID): ....
Posted on 19 July 2018 4:26 pm on cxsecurity.com
Microsoft Starts Identity Bounty Program with Payouts up to $100,000. Microsoft is initiating a bug bounty program that is focused on customer security.
Posted on 19 July 2018 4:18 pm on www.itsecuritynews.info
IBM has reported second-quarter profit and revenue that topped analysts’ expectations as it benefited from growth in higher-margin businesses including cyber security and cloud computing. Under CEO Ginni Rometty, Big Blue has been focussing on an array of new technologies ranging from artificial....
Posted on 19 July 2018 4:11 pm on www.techcentral.ie
Projects are leaving country for other jurisdictions. Swiss regulators are stepping up efforts to halt an exodus of cryptocurrency projects from the country, after two of only a handful of banks active in the nascent sector shut their doors on it in the last year.
Posted on 19 July 2018 2:52 pm on www.timesofmalta.com
Here’s #3 of this week’s podcasts, right here #ICYMI. In this episode: Security SOS Week Trends in malware – first ransomware, now cryptojacking, what next? When it comes to learning about the latest trends in malware, there’s no one we’d rather talk to than SophosLabs Principal Researcher Fraser Howard.
Posted on 19 July 2018 2:47 pm on nakedsecurity.sophos.com
The traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value. It should come as no surprise, therefore, that as operational technology (OT) and industrial control system (ICS) infrastructure have become much more prominent components of....
Posted on 19 July 2018 2:34 pm on thecybersecurityplace.com
A new Gmail feature called "Confidential Email" requires users to click a link to access confidential emails - a feature described as a "potential emerging threat ... for nefarious activity," in a May 24 US Department of Homeland Security intelligence note obtained by ABC News.
Posted on 19 July 2018 2:19 pm on www.scmagazineuk.com
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule
Posted on 19 July 2018 12:54 pm on vfocus.net
Change Healthcare is providing healthcare leaders the keys to cloud security with Change Healthcare Security Management, which includes a “Bring Your Own Key” (BYOK) service now offered as part of the company’s cloud-based HealthQx value-based care analytics suite.
Posted on 19 July 2018 12:30 pm on www.helpnetsecurity.com
#1222087: This remote, small town is the epicentre of cybercrime in India. Unemployed youth in Jamtara in the state of Jharkhand have hoodwinked millions of Indians across the length and breadth of the country. In terms of large scale fraud, one of the most impressive feats of financial chicanery....
Posted on 19 July 2018 12:07 pm on brica.de
On Friday, a Greek court ruled that Russian national Alexander Vinnik, 38, will be sent to France to face cybercrime charges. French authorities have accused Vinnik of defrauding individuals worldwide, including about 100 in France, as well....
Posted on 19 July 2018 11:02 am on www.healthcareinfosecurity.com
0day.today (was: 1337day, Inj3ct0r, 1337db): Linux Kernel < 4.14.8 Sign Extension Local Privilege Escalation Exploit [#0day #Exploit] ....
Posted on 19 July 2018 10:42 am on sec.jetlib.com
July 19, 2018. From the Start, Trump Has Muddied a Clear Message: Putin Interfered. By David E. Sanger and Matthew Rosenberg, New York Times, July 18, 2018. WASHINGTON: Two weeks before his inauguration, Donald J. Trump was shown highly classified intelligence indicating that President Vladimir V.
Posted on 19 July 2018 10:38 am on www.matthewaid.com
Rapid7 announced integration between Rapid7’s Insight platform and Microsoft Azure. This integration provides vulnerability management, analytics-driven incident detection for hybrid environments, and agent deployment within the Azure infrastructure. Rapid7 customers utilizing Azure have, through....
Posted on 19 July 2018 9:53 am on www.helpnetsecurity.com
Coronet released a report identifying San Diego International Airport, John Wayne Airport-Orange County (CA) International Airport and Houston’s William P. Hobby International Airport as America’s most cyber insecure airports. The purpose of the report is to inform business travelers of how insecure....
Posted on 19 July 2018 9:53 am on www.helpnetsecurity.com
This summer, my family and I visited a few Arizona ghost towns, and the experience made me wonder what it might have been like to travel across the Old West with all your possessions in tow. What would it feel like to ride through mountains, deserts and territories with only a canvas-covered wagon....
Posted on 19 July 2018 6:35 am on securityboulevard.com
Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players.
Posted on 19 July 2018 6:25 am on www.security-database.com
A vulnerability in the web framework of the Cisco Unified Communications Manager IM and Presence Service software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system.
Posted on 19 July 2018 6:25 am on www.security-database.com
By Mihoko Matsubara* The Japanese government released a draft of the next Cybersecurity Strategy in June 2018 to share its vision for strengthening Japan’s cybersecurity capabilities for the coming few years. The new strategy draft is the first national security document in which endpoint security....
Posted on 19 July 2018 5:40 am on www.eurasiareview.com
Original release date: May 29, 2018 | Last revised: May 31, 2018

Systems Affected: Network systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government: a remote access tool (RAT), commonly known as Joanap; and a Server Message Block (SMB) worm, commonly known as Brambul. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra .

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report's IOC files—to maintain a presence on victims' networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on how to report incidents. If users or administrators detect activity associated with these malware families, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

See the following links for a downloadable copy of IOCs: IOCs (.csv); IOCs (.stix). NCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – RAT/Worm examines the tactics, techniques, and procedures observed in the malware. Visit MAR-10135536.3 – HIDDEN COBRA RAT/Worm for the report and associated IOCs.

Description

According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the information related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert. Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools may be found on compromised network nodes. Each malware tool has different purposes and functionalities.

Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly download either when they visit sites compromised by HIDDEN COBRA actors or when they open malicious email attachments. During analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised network nodes. The countries in which the infected IP addresses are registered are as follows: Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan, Tunisia. Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim's network and any connected networks to infect nodes beyond those identified in this alert.

Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMB enables shared access to files between users on a network. Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against the SMB protocol for access to a victim's networks.

Technical Details

Joanap: Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include file management, process management, creation and deletion of directories, and node management. Analysis indicates the malware encodes data using Rivest Cipher 4 (RC4) encryption to protect its communication with HIDDEN COBRA actors...
Posted on 29 May 2018 3:18 pm on www.us-cert.gov
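The alert asks defenders to do two concrete things with the material it ships: match the published IP indicators against their own traffic, and watch for Brambul's spreading behaviour, which is a single host trying hard-coded credentials against SMB on many neighbours in quick succession. The following is an added example, not code from US-CERT or from the alert's IOC files: the two-column IOC CSV, the firewall log format and the addresses in it are all constructed for the example (the real .csv has its own columns and the real indicators are in the alert's download). It loads the indicator list, reports any flow touching a listed address, and flags a source that reaches a configurable number of distinct hosts on TCP/445 inside a short window.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC list in a two-column CSV shape (not the alert's real file or real indicators)
IOC_CSV = """indicator,type
203.0.113.45,ipv4
198.51.100.7,ipv4
"""

# Constructed firewall/netflow lines: timestamp src dst dport action
FLOW_LOG = """2018-05-29T10:00:01 10.0.0.12 203.0.113.45 443 ALLOW
2018-05-29T10:00:05 10.0.0.12 93.184.216.34 443 ALLOW
2018-05-29T10:01:10 10.0.0.50 10.0.0.21 445 ALLOW
2018-05-29T10:01:11 10.0.0.50 10.0.0.22 445 ALLOW
2018-05-29T10:01:12 10.0.0.50 10.0.0.23 445 ALLOW
2018-05-29T10:01:13 10.0.0.50 10.0.0.24 445 ALLOW
2018-05-29T10:01:14 10.0.0.50 10.0.0.25 445 ALLOW
2018-05-29T10:01:15 10.0.0.50 10.0.0.26 445 ALLOW
2018-05-29T10:30:00 10.0.0.13 198.51.100.7 8080 DENY
"""


def load_iocs(text):
    """Set of IPv4 indicators from a CSV with 'indicator' and 'type' columns."""
    return {row["indicator"] for row in csv.DictReader(io.StringIO(text)) if row["type"] == "ipv4"}


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, action) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), action


def ioc_hits(flows, iocs):
    """Flows whose source or destination is a listed indicator.

    Denied flows are kept on purpose: a DENY still tells you an internal host
    tried to reach the C2, which is the host to triage."""
    return [f for f in flows if f[1] in iocs or f[2] in iocs]


def smb_fanout(flows, min_targets=5, window=timedelta(minutes=2)):
    """Sources that reach >= min_targets distinct hosts on TCP/445 within `window`.

    Returns {source_ip: distinct_target_count}. A user workstation rarely opens SMB
    sessions to many different hosts in seconds; a credential-guessing worm does."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                alerts[src] = len(targets)
                break
    return alerts


IOCS = load_iocs(IOC_CSV)
FLOWS = list(parse_flows(FLOW_LOG))

if __name__ == "__main__":
    for hit in ioc_hits(FLOWS, IOCS):
        print("IOC hit:", hit)
    print("SMB fan-out:", smb_fanout(FLOWS))  # {'10.0.0.50': 6}
```

Run the IOC match over historical logs as well as live ones: the alert says these actors have been active since at least 2009, so the interesting connection may be months old. Tune `min_targets` and `window` to the environment (backup servers and vulnerability scanners legitimately fan out over SMB and belong on an allow-list), and pair a fan-out alert with the failed-logon events on the targets, since Brambul's guessing produces many failures before any success.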
Original release date: May 25, 2018 | Last revised: June 07, 2018

Systems Affected: Small office/home office (SOHO) routers; networked devices; network-attached storage (NAS) devices

Overview

Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office/home office (SOHO) routers. VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions 2 and 3.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware. DHS and FBI encourage SOHO router owners to report information concerning suspicious or criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field . CyWatch can be contacted by phone at 855-292-3937 or by email at CyWatch@fbi.gov. Each submitted report should include as much information as possible, specifically the date, time, location, type of activity, number of people, the type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

Description

The size and scope of the infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices. The initial exploit vector for this malware is currently unknown. The malware uses modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic. The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and central processing unit (CPU) architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of secure sockets layer (SSL) with client-side certificates for authentication and Tor protocols, complicating network traffic detection and analysis.

Impact

Negative consequences of VPNFilter malware infection include: temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization's reputation.

Solution

DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware. Network device management interfaces—such as Telnet, SSH, Winbox, and HTTP—should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities. Rebooting affected devices will cause non-persistent portions of the malware to be removed from the system. Network defenders should ensure that first-stage malware is removed from the devices, and that appropriate network-level blocking is in place, prior to rebooting affected devices. This will ensure that second stage malware is not downloaded again after reboot. While the paths at each stage of the malware can vary across device platforms, processes running with the name "vpnfilter" are almost certainly instances of the second stage malware. Terminating these processes and removing associated processes and persistent files that execute the second stage malware would likely remove this malware from targeted devices.

References

New VPNFilter malware targets at least 500K networking devices worldwide
Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage
VPNFilter Update - VPNFilter exploits endpoints, targets new devices

Revision History

May 25, 2018: Initial Version
June 7, 2018: Added link to June 6, 2018 Cisco Talos blog update on VPNFilter
Posted on 25 May 2018 9:22 pm on www.us-cert.gov
Original release date: May 21, 2018 | Last revised: May 22, 2018

Systems Affected
- CPU hardware implementations

Overview
On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants—known as 3A and 4—can allow an attacker to obtain access to sensitive information on affected systems.

Description
Common CPU hardware implementations are vulnerable to the side-channel attacks known as Spectre and Meltdown. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.

Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.

Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to:
- Read arbitrary privileged data; and
- Run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.

Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:
- Variant 1: Bounds Check Bypass – CVE-2017-5753
- Variant 2: Branch Target Injection – CVE-2017-5715
- Variant 3: Rogue Data Cache Load – CVE-2017-5754
- Variant 3a: Rogue System Register Read – CVE-2018-3640
- Variant 4: Speculative Store Bypass – CVE-2018-3639

Impact
Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.

Solution
Mitigation
NCCIC recommends users and administrators:
- Refer to their hardware and software vendors for patches or microcode,
- Use a test environment to verify each patch before implementing, and
- Ensure that performance is monitored for critical applications and services.
  - Consult with vendors and service providers to mitigate any degradation effects, if possible.
  - Consult with Cloud Service Providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting, if applicable.

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Link to Vendor Information | Date Added
AMD                        | May 21, 2018
ARM                        | May 21, 2018
Intel                      | May 22, 2018
Microsoft                  | May 21, 2018
Redhat                     | May 21, 2018

References
- Google Project Zero Blog
- Bounds Check Bypass – CVE-2017-5753
- Branch Target Injection – CVE-2017-5715
- Rogue Data Cache Load – CVE-2017-5754
- Rogue System Register Read – CVE-2018-3640
- Speculative Store Bypass – CVE-2018-3639
- TA18-004A – Meltdown and Spectre Side-Channel Vulnerability Guidance

Revision History
- May 21, 2018: Initial version
- May 22, 2018: Added information and link to Intel in table
Posted on 21 May 2018 11:54 pm on www.us-cert.gov
Original release date: April 16, 2018 | Last revised: April 20, 2018

Systems Affected
- Generic Routing Encapsulation (GRE) Enabled Devices
- Cisco Smart Install (SMI) Enabled Devices
- Simple Network Management Protocol (SNMP) Enabled Network Devices

Overview
Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which include the configuration files of networked devices. NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect for the presence of protocol 47 traffic flowing to or from unexpected addresses, or for the unexplained presence of GRE tunnel creation, modification, or destruction in log files.

Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.

DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.

The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.

For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml.

Description
Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.

Legacy Protocols and Poor Security Practice
Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to identify vulnerable devices; extract device configurations; map internal network architectures; harvest login credentials; masquerade as privileged users; modify device firmware, operating systems, and configurations; and copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure. Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.

Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:
- devices with legacy unencrypted protocols or unauthenticated services,
- devices insufficiently hardened before installation, and
- devices no longer supported with security patches by manufacturers or vendors (end-of-life devices)...
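An added example, not from the alert or from US-CERT: a Python check for the two indicators named in the update above, protocol 47 flows to or from peers that are not sanctioned tunnel endpoints, and tunnel interface state changes in router logs. The flow CSV, the IOS-style syslog lines, the local network and the sanctioned-peer list are all constructed placeholders to be replaced with your own collector export and inventory.

```python
import csv
import io
import ipaddress
import re

GRE_PROTOCOL = 47  # IP protocol number for GRE (RFC 2784)

# Constructed placeholders: our own address space and the only remote peers
# with which GRE tunnels are sanctioned. Real deployments load these from CMDB.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
SANCTIONED_GRE_PEERS = {ipaddress.ip_address("203.0.113.10")}

# Constructed sample flow export in a common collector CSV shape; not real traffic.
SAMPLE_FLOWS = """\
ts,src,dst,proto,bytes
2018-04-18T09:00:01Z,192.0.2.1,203.0.113.10,47,51200
2018-04-18T09:00:05Z,192.0.2.1,198.51.100.77,47,20480
2018-04-18T09:00:07Z,198.51.100.77,192.0.2.1,47,1400
2018-04-18T09:00:09Z,192.0.2.25,203.0.113.10,6,800
2018-04-18T09:01:12Z,192.0.2.1,198.51.100.77,47,90000
"""

# Constructed router syslog lines in an IOS-like shape; hostname and
# interface numbers are invented for the example.
SAMPLE_SYSLOG = [
    "Apr 19 03:14:09 edge-rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel9, changed state to up",
    "Apr 19 03:20:00 edge-rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "Apr 19 03:41:55 edge-rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel9, changed state to down",
]

TUNNEL_EVENT = re.compile(r"Interface (Tunnel\d+), changed state to (up|down)")


def parse_flows(text):
    """Yield flow dicts from CSV text; malformed rows raise rather than being skipped silently."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "ts": row["ts"],
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "proto": int(row["proto"]),
            "bytes": int(row["bytes"]),
        }


def find_unexpected_gre(flows, sanctioned=SANCTIONED_GRE_PEERS, local_net=LOCAL_NET):
    """Summarise protocol-47 flows whose remote end is not a sanctioned tunnel peer.

    Returns {peer_ip: {"flows": n, "bytes": total, "first_seen": ts}} so an
    analyst sees one line per suspicious peer rather than one per flow record.
    """
    findings = {}
    for f in flows:
        if f["proto"] != GRE_PROTOCOL:
            continue
        if f["src"] in sanctioned or f["dst"] in sanctioned:
            continue
        # The endpoint outside our own address space is the peer worth investigating.
        peer = f["dst"] if f["src"] in local_net else f["src"]
        entry = findings.setdefault(peer, {"flows": 0, "bytes": 0, "first_seen": f["ts"]})
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
    return findings


def find_tunnel_events(lines):
    """Return (interface, state, raw line) for every tunnel interface state change.

    Tunnel interfaces appearing or disappearing without a matching change
    ticket is the 'unexplained creation, modification, or destruction' the alert describes.
    """
    events = []
    for line in lines:
        m = TUNNEL_EVENT.search(line)
        if m:
            events.append((m.group(1), m.group(2), line))
    return events


if __name__ == "__main__":
    for peer, info in find_unexpected_gre(parse_flows(SAMPLE_FLOWS)).items():
        print(f"unexpected GRE peer {peer}: {info['flows']} flows, "
              f"{info['bytes']} bytes, first seen {info['first_seen']}")
    for iface, state, _ in find_tunnel_events(SAMPLE_SYSLOG):
        print(f"tunnel interface {iface} changed state to {state}")
```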
Posted on 16 April 2018 8:25 pm on www.us-cert.gov
Original release date: March 27, 2018 | Last revised: March 28, 2018

Systems Affected
- Networked systems

Overview
According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad. In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.

Description
In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise. Email applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization's email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implement inbox rules for the forwarding of sent and received messages.

Technical Details
Traditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:
- Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
- Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
- Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts
- Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators of a password spray attack include:
- A massive spike in attempted logons against the enterprise SSO portal or web-based application. Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String). Attacks have been seen to run for over two hours.
- Employee logons from IP addresses resolving to locations inconsistent with their normal locations.

Typical Victim Environment
The vast majority of known password spray victims share some of the following characteristics:
- Use SSO or web-based applications with federated authentication method
- Lack multifactor authentication (MFA)
- Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
- Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
- Allow email forwarding to be set up at the user level
- Limited logging setup, creating difficulty during post-event investigations

Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information;
- Disruption to regular operations;
- Financial losses incurred to restore systems and files; and
- Potential harm to an organization’s reputation...
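An added example, not part of the alert: a Python detector for the first indicator above, one source IP and User-Agent failing against many distinct accounts with few attempts each inside a short window, as opposed to a classic brute force that hammers one account. The JSON-lines log format, its field names and the thresholds are assumptions to map onto your own IdP or SSO portal export.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed thresholds; tune them to the logon volume of your own SSO portal.
WINDOW = timedelta(minutes=10)      # spray bursts from one tool are tightly clustered
MIN_DISTINCT_USERS = 5              # one source touching many accounts is the hallmark
MAX_FAILURES_PER_USER = 2.0         # "low-and-slow": few guesses per account, many accounts

# Constructed JSON-lines authentication log (field names are an assumption).
# 198.51.100.23 sprays one guess across many accounts and lands one success;
# 192.0.2.40 is a legitimate user who mistypes a password twice.
SAMPLE_LOG = """\
{"ts":"2018-03-20T14:02:01Z","user":"a.smith","src_ip":"198.51.100.23","user_agent":"python-requests/2.18.4","result":"failure"}
{"ts":"2018-03-20T14:02:03Z","user":"b.jones","src_ip":"198.51.100.23","user_agent":"python-requests/2.18.4","result":"failure"}
{"ts":"2018-03-20T14:02:05Z","user":"c.lee","src_ip":"198.51.100.23","user_agent":"python-requests/2.18.4","result":"failure"}
{"ts":"2018-03-20T14:02:07Z","user":"d.nguyen","src_ip":"198.51.100.23","user_agent":"python-requests/2.18.4","result":"failure"}
{"ts":"2018-03-20T14:02:09Z","user":"e.patel","src_ip":"198.51.100.23","user_agent":"python-requests/2.18.4","result":"failure"}
{"ts":"2018-03-20T14:02:11Z","user":"JDoe","src_ip":"198.51.100.23","user_agent":"python-requests/2.18.4","result":"success"}
{"ts":"2018-03-20T14:02:13Z","user":"f.garcia","src_ip":"198.51.100.23","user_agent":"python-requests/2.18.4","result":"failure"}
{"ts":"2018-03-20T14:05:00Z","user":"m.brown","src_ip":"192.0.2.40","user_agent":"Mozilla/5.0 (Windows NT 10.0) Firefox/59.0","result":"failure"}
{"ts":"2018-03-20T14:05:20Z","user":"m.brown","src_ip":"192.0.2.40","user_agent":"Mozilla/5.0 (Windows NT 10.0) Firefox/59.0","result":"failure"}
{"ts":"2018-03-20T14:05:40Z","user":"m.brown","src_ip":"192.0.2.40","user_agent":"Mozilla/5.0 (Windows NT 10.0) Firefox/59.0","result":"success"}
"""


def parse_events(text):
    """Parse JSON lines into time-sorted event dicts. Usernames are case-folded
    so 'JDoe' and 'jdoe' count as the same account."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["user"].lower(),
            "src": rec["src_ip"],
            "ua": rec["user_agent"],
            "ok": rec["result"] == "success",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def max_distinct_users_in_window(failures, window):
    """Largest number of distinct accounts one source failed against inside
    any sliding window of the given length (failures must be time-sorted)."""
    counts, best, start = Counter(), 0, 0
    for end, e in enumerate(failures):
        counts[e["user"]] += 1
        while e["ts"] - failures[start]["ts"] > window:
            old = failures[start]["user"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                 max_per_user=MAX_FAILURES_PER_USER):
    """Flag (source IP, user agent) pairs whose failures fan out across many
    accounts with few guesses each. Returns {(src, ua): finding}; successful
    logons from a flagged source are listed so those accounts are reset first."""
    by_source = defaultdict(list)
    for e in events:
        by_source[(e["src"], e["ua"])].append(e)

    findings = {}
    for (src, ua), evs in by_source.items():
        failures = [e for e in evs if not e["ok"]]
        distinct = max_distinct_users_in_window(failures, window)
        if distinct < min_users:
            continue
        if len(failures) / len({e["user"] for e in failures}) > max_per_user:
            continue  # many failures on few accounts is brute force, not a spray
        findings[(src, ua)] = {
            "distinct_users": distinct,
            "failures": len(failures),
            "first_seen": evs[0]["ts"].isoformat(),
            "compromised_candidates": sorted({e["user"] for e in evs if e["ok"]}),
        }
    return findings


if __name__ == "__main__":
    for (src, ua), f in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{src} ({ua}): {f['distinct_users']} accounts in window, "
              f"{f['failures']} failures; successes: {f['compromised_candidates']}")
```

Successful logons from a flagged source are the accounts that matched the sprayed password; they are the first to reset and to check for newly created inbox forwarding rules.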
Posted on 28 March 2018 1:00 am on www.us-cert.gov
Original release date: March 15, 2018 | Last revised: March 16, 2018

Systems Affected
- Domain Controllers
- File Servers
- Email Servers

Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

For a downloadable copy of IOC packages and associated files, see:
- TA18-074A_TLP_WHITE.csv
- TA18-074A_TLP_WHITE.stix.xml
- MIFR-10127623_TLP_WHITE.pdf
- MIFR-10127623_TLP_WHITE_stix.xml
- MIFR-10128327_TLP_WHITE.pdf
- MIFR-10128327_TLP_WHITE_stix.xml
- MIFR-10128336_TLP_WHITE.pdf
- MIFR-10128336_TLP_WHITE_stix.xml
- MIFR-10128830_TLP_WHITE.pdf
- MIFR-10128830_TLP_WHITE_stix.xml
- MIFR-10128883_TLP_WHITE.pdf
- MIFR-10128883_TLP_WHITE_stix.xml
- MIFR-10135300_TLP_WHITE.pdf
- MIFR-10135300_TLP_WHITE_stix.xml

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.

Description
Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”

Technical Details
The threat actors in this campaign employed a variety of TTPs, including spear-phishing emails (from compromised legitimate accounts), watering-hole domains, credential gathering, open-source and network reconnaissance, host-based exploitation, and targeting industrial control system (ICS) infrastructure.

Using Cyber Kill Chain for Analysis
DHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of threat actors’ activities within this framework.

Stage 1: Reconnaissance
The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information...
Posted on 15 March 2018 3:40 pm on www.us-cert.gov
Posted on 4 January 2018 8:47 pm on www.us-cert.gov
Original release date: November 14, 2017 | Last revised: November 22, 2017

Systems Affected
- Network systems

Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

For a downloadable copy of IOCs, see:
- IOCs (.csv)
- IOCs (.stix)

NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed.

For a downloadable copy of the MAR, see:
- MAR (.pdf)
- MAR IOCs (.stix)

Description
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.

The U.S. Government has analyzed Volgmer’s infrastructure and has identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:
- India (772 IPs) 25.4 percent
- Iran (373 IPs) 12.3 percent
- Pakistan (343 IPs) 11.3 percent
- Saudi Arabia (182 IPs) 6 percent
- Taiwan (169 IPs) 5.6 percent
- Thailand (140 IPs) 4.6 percent
- Sri Lanka (121 IPs) 4 percent
- China (82 IPs, including Hong Kong (12)) 2.7 percent
- Vietnam (80 IPs) 2.6 percent
- Indonesia (68 IPs) 2.2 percent
- Russia (68 IPs) 2.2 percent

Technical Details
As a backdoor Trojan, Volgmer has several capabilities, including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality. Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.

Malicious actors commonly maintain persistence on a victim’s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.

Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware...
Posted on 14 November 2017 9:00 pm on www.us-cert.gov
Original release date: November 14, 2017 | Last revised: November 22, 2017

Systems Affected
- Network systems

Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

For a downloadable copy of IOCs, see:
- IOCs (.csv)
- IOCs (.stix)

NCCIC conducted analysis on two samples of FALLCHILL malware and produced a Malware Analysis Report (MAR). MAR-10135536-A examines the tactics, techniques, and procedures observed in the malware.

For a downloadable copy of the MAR, see:
- MAR (.pdf)
- MAR IOCs (.stix)

Description
According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.

During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.

Technical Details
FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting, communication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies as shown in Figure 1.

Figure 1. HIDDEN COBRA Communication Flow

FALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption with the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82]. FALLCHILL collects basic system information and beacons the following to the C2: operating system (OS) version information, processor information, system name, local IP address information, unique generated ID, and media access control (MAC) address.

FALLCHILL contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:
- retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
- create, start, and terminate a new process and its primary thread;
- search, read, write, move, and execute files;
- get and modify file or directory timestamps;
- change the current directory for a process or file; and
- delete malware and artifacts associated with the malware from the infected system.

Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to FALLCHILL. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware...
Posted on 14 November 2017 8:09 pm on www.us-cert.gov
Original release date: October 20, 2017 | Last revised: March 15, 2018

Systems Affected
- Domain Controllers
- File Servers
- Email Servers

Overview
This alert has been superseded by newer information. The old alert is provided below for historical reference only. For the newest version, please see TA18-074A.

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks.

DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity.

For a downloadable copy of IOC packages and associated files, see:
- TA17-293A_TLP_WHITE.csv
- TA17-293A_TLP_WHITE_stix.xml
- MIFR-10127623_TLP_WHITE.pdf
- MIFR-10127623_TLP_WHITE_stix.xml
- MIFR-10128327_TLP_WHITE.pdf
- MIFR-10128327_TLP_WHITE_stix.xml
- MIFR-10128336_TLP_WHITE.pdf
- MIFR-10128336_TLP_WHITE_stix.xml
- MIFR-10128830_TLP_WHITE.pdf
- MIFR-10128830_TLP_WHITE_stix.xml
- MIFR-10128883_TLP_WHITE.pdf
- MIFR-10128883_TLP_WHITE_stix.xml
- MIFR-10135300_TLP_WHITE.pdf
- MIFR-10135300_TLP_WHITE_stix.xml

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.

Description
Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns.

Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity. Of specific note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks. The initial victims are referred to as “staging targets” throughout this alert. The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred to throughout this alert as the “intended target.”

Technical Details
The threat actors in this campaign employed a variety of TTPs, including: open-source reconnaissance, spear-phishing emails (from compromised legitimate accounts), watering-hole domains, host-based exploitation, industrial control system (ICS) infrastructure targeting, and ongoing credential gathering.

Using Cyber Kill Chain for Analysis
DHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of activity within this framework.

Stage 1: Reconnaissance
The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks. DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations...
Posted on 21 October 2017 1:50 am on www.us-cert.gov